[Snort-users] udp/4156

Peter Goodridge petegdr at ...131...
Tue Sep 24 07:46:05 EDT 2002


Colin,

UDP ports 1978, 2002, and 4156 are all used by the new
Apache/mod_ssl worm.  See www.cert.org.  If your
getting traffic from all over the planet your box is
probably compromised, and is being used against other
sites.

HTH,
Pete Goodridge

--- Colin Wu <wucolin at ...2181...> wrote:
> Hi Snorters,
> 
> Has anyone seen, or know what traffic might be using
> udp/4156 as both 
> source and destination? I had a look on the Internet
> Ports Database but 
> found no reference to it. A host on my network seems
> to be receiving a 
> lot of these from all over the planet. Not enough
> bandwidth usage to be 
> noticable but snort picked up "bad frag bits" on
> some of the packets.
> 
> -- 
>    __     _             _            Network Analyst
>   /  )   //            ' )   /       Computing &
> Information Services
>  /    __|/  o ____      / / / . .    McMaster
> University
> (__/ (_) \_<_/ / <_    (_(_/ (_/_    (905)525-9140
> ext 24050
>                                     
> http://netman.McMaster.CA
> Only get into a life boat if you have to step UP to
> get into it.
> 
> 
> 
> 
>
-------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

__________________________________________________
Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!
http://sbc.yahoo.com




More information about the Snort-users mailing list